
Heartbleed Bug – What You Should And Shouldn’t Do

If you are looking for information about the Heartbleed bug and what you, or your business, should do next then the good news is that there is already a huge amount of information on the net and in mainstream media. The bad news, however, is that some of the advice on offer isn’t the greatest.

The Heartbleed bug is a flaw in OpenSSL, the open source library that a great many services across the web, including banks, email providers and shops, use to provide the encrypted SSL/TLS connection between the service and the user. The bug (CVE-2014-0160) sits in OpenSSL's implementation of the TLS heartbeat extension and affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixes it. Whilst the average web user will not know which library a site runs, they will undoubtedly be familiar with the padlock icon in the browser's address bar which denotes that the connection is encrypted.

At around the same time that the flaw was disclosed, proof-of-concept tools were released that allow anyone to send a malformed heartbeat request to a server running a vulnerable version of OpenSSL and receive up to 64KB of the server process's memory in reply. What that memory contains is a matter of luck, but there is a very real chance that it includes the usernames and passwords of recent visitors, session cookies, administrator credentials, the server's private key and all manner of other sensitive data.

Anyone using such a tool against a vulnerable server can repeat the request as often as they like, against the same or different sites, without leaving anything in the server's logs, and quickly compile a huge list of login credentials.

That is why many websites, bloggers and news outlets are advising everyone to change their passwords but there are some dangers associated with such simple advice.

The main issue is that some people may rush out to change all their passwords without arming themselves with additional essential information.

Should you change your password on a site that is vulnerable to Heartbleed but not yet patched, you will have achieved nothing and may even have made matters worse: the new password passes through the same vulnerable server and sits in the same memory the attackers are dumping, so it is just as exposed as the old one, and you now wrongly believe it to be safe. And don't forget that the publicity surrounding the bug means that the number of people trying to take advantage of it has risen sharply over the last few days, which makes that possibility all the more likely.

Therefore, it would be advisable to do a little research before changing your login credentials.

Before changing any passwords you will want to know:

Was the website vulnerable in the first place?

Has the server been patched yet?

Has the site revoked its previous SSL certificate and replaced it with one issued for a newly generated private key? (Reissuing a certificate for the same key achieves nothing, because the key itself may have been read out of the server's memory.)

Has the entity behind the site confirmed that it has been fixed?
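As an added example, not code from the post, two of those checks automated with Python's standard library: issued_after_disclosure() reads the notBefore date out of the dictionary that ssl.getpeercert() returns, and spki_sha256() hashes the SubjectPublicKeyInfo inside the DER certificate so you can tell whether a "new" certificate actually carries a new key. The fetch() helper, the function names and the constructed skeleton certificate used for the offline check are mine; sample_cert() is not a valid signed certificate, only enough DER for the walker to parse.

```python
"""Two of the checks above, using only the standard library: was the certificate
issued after the disclosure date, and does it carry a different public key?"""
import hashlib
import socket
import ssl

DISCLOSURE = ssl.cert_time_to_seconds("Apr  7 00:00:00 2014 GMT")   # day the bug went public


def issued_after_disclosure(cert):
    """cert is the dict ssl.getpeercert() returns; True if notBefore is later than 7 Apr 2014."""
    return ssl.cert_time_to_seconds(cert["notBefore"]) > DISCLOSURE


def _tlv(data, i):
    """Decode one DER tag-length-value at offset i: (tag, value_start, value_end)."""
    tag, length, i = data[i], data[i + 1], i + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7f
        length, i = int.from_bytes(data[i:i + n], "big"), i + n
    return tag, i, i + length


def _children(data, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element of a SEQUENCE."""
    i = start
    while i < end:
        tag, vs, ve = _tlv(data, i)
        yield tag, i, vs, ve
        i = ve


def spki_sha256(der_cert):
    """SHA-256 of the SubjectPublicKeyInfo: identifies the key, not the certificate around it."""
    _, vs, ve = _tlv(der_cert, 0)                            # Certificate ::= SEQUENCE
    _, _, tbs_s, tbs_e = next(_children(der_cert, vs, ve))   # tbsCertificate
    fields = list(_children(der_cert, tbs_s, tbs_e))
    if fields[0][0] == 0xa0:                                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki_start, _, spki_end = fields[5]
    return hashlib.sha256(der_cert[spki_start:spki_end]).hexdigest()


def key_was_rotated(old_der, new_der):
    """The comparison that matters: a reissued certificate on the same key is no rotation at all."""
    return spki_sha256(old_der) != spki_sha256(new_der)


def fetch(host, port=443):
    """Network part: the cert dict and DER bytes of a live server (not used by the offline check)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def _der(tag, body):
    """Tiny DER encoder, only used to build the constructed sample certificate below."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body


def sample_cert(serial, key_bytes):
    """Constructed v3 certificate skeleton (empty names, no real signature) with key_bytes in its SPKI."""
    rsa_oid = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
    spki = _der(0x30, _der(0x30, rsa_oid + _der(0x05, b"")) + _der(0x03, b"\x00" + key_bytes))
    tbs = _der(0x30, _der(0xa0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + _der(0x30, b"") * 4 + spki)                 # signature, issuer, validity, subject
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

In practice you record spki_sha256() of a site's certificate before it is replaced (or take it from a cached copy) and compare it with the replacement; the same hash on a certificate with a later notBefore means the operator reissued on a compromised key.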

To help you out I have listed a few high profile sites below to get you started:

| Service | Is it vulnerable? | Has it been patched yet? | Should you change your password? |
|---|---|---|---|
| Amazon | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Amazon Web Services | Yes | Yes | Yes |
| Apple | Unknown | Unknown | Unknown |
| Barclays | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Dropbox | Yes | Yes | Yes |
| eBay | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Evernote | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Facebook | Yes | Yes | Yes |
| Fox News | No | Not Needed | Yes, if reused on another service that is vulnerable |
| GoDaddy | Yes | Yes | Yes |
| Google/Gmail | Yes | Yes | Yes |
| Hootsuite | No | Not Needed | Yes, if reused on another service that is vulnerable |
| HSBC | No | Not Needed | Yes, if reused on another service that is vulnerable |
| If This Then That | Yes | Yes | Site will force a password reset |
| LinkedIn | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Lloyds | No | Not Needed | No |
| Microsoft services | No | Not Needed | Yes, if reused on another service that is vulnerable |
| OkCupid | Yes | Yes | Yes |
| PayPal | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Pinterest | Yes | Yes | Yes |
| RBS/Natwest | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Reddit | Yes | Yes | Yes |
| Santander | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Tumblr | Yes | Yes | Yes |
| Twitter | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Vimeo | Yes | Yes | Yes |
| Walmart | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Washington Post | Yes | Yes | Yes |
| Wikipedia | Yes | Yes | Yes |
| Yahoo/Yahoo Mail | Yes | Yes | Yes |

If you are concerned about sites not included in that list, and you likely are, then there are several tools available to help you determine whether or not a particular site is vulnerable:

If you identify that one or more of the sites you use is vulnerable you will then need to find out whether the problem has been fixed or not. The best way to do so is by visiting the site itself, or its accompanying blog, where that information should be prominently displayed (one would hope). If it is not obvious whether the site has fixed the vulnerability then do yourself, and other web users, a favour by contacting the company or site owner and asking for confirmation.

Only when you have discovered that a site was both vulnerable and subsequently fixed should you change your password. When you do, the usual rules apply:

never make a password from personally identifying information such as pet or family member names

avoid common words, even in combination with other symbols or numbers

never share your passwords with anyone

use a password manager so you can keep track of all your passwords without writing them down

Furthermore, when changing any passwords as necessary, it would be a good time to see if the site offers two-factor authentication, which adds an additional security layer and makes it much harder for an attacker to access the account even if they do acquire your password.

Lastly, remember that popular news stories often lead to other types of attacks – be on your guard for emails suggesting that you click through some link to access Heartbleed bug detecting tools or offering fixes. Whilst some security companies may genuinely be sending out such tools or advice, phishers will likely be using such bait to snare additional victims too.

2 thoughts on “Heartbleed Bug – What You Should And Shouldn’t Do”

Another must do when it comes to Heartbleed is to create an inventory of all systems on your network that may be running OpenSSL. High profile websites are the obvious ones but in today's Internet of Things world, many devices run web services. I checked my home network and found a NAS system and a network connected media player running OpenSSL
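As an added example following that comment (not the commenter's code or the post's), two helpers for such an inventory. classify_version() judges an `openssl version` banner against the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1), with the caveat that Debian, Ubuntu and Red Hat shipped the fix as a backport that keeps the old "1.0.1e" banner, so a vulnerable-looking string on those systems must be confirmed against the package changelog. stale_libssl() covers the other trap: a patched library on disk does nothing for a daemon that still has the old copy mapped, so any process whose /proc/<pid>/maps shows a deleted libssl or libcrypto needs a restart. The function names and the sample maps text are mine.

```python
"""Inventory helpers: classify an OpenSSL version banner, and find processes that
are still running with an old libssl/libcrypto mapped after a package upgrade."""
import glob
import re
import subprocess

BACKPORT_NOTE = "vulnerable upstream (distribution may have backported the fix)"


def classify_version(banner):
    """Classify 'openssl version' output: 1.0.1 to 1.0.1f and 1.0.2-beta1 are affected,
    releases before 1.0.1 never had the heartbeat extension, everything later is fixed."""
    m = re.match(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?", banner)
    if not m:
        return "unrecognised"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release < (1, 0, 1):
        return "not affected (no heartbeat extension before 1.0.1)"
    if release == (1, 0, 1) and letter < "g":          # "" (plain 1.0.1) through "f"
        return BACKPORT_NOTE
    if release == (1, 0, 2) and beta == "-beta1":
        return BACKPORT_NOTE
    return "fixed"


def local_openssl_banner():
    """Run the local openssl binary; None if it is not installed."""
    try:
        done = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return done.stdout.strip()


def stale_libssl(maps_text):
    """Given the text of one /proc/<pid>/maps, return the mapped libssl/libcrypto paths whose
    file has been deleted on disk, i.e. an upgraded package whose old copy is still in memory."""
    stale = set()
    for line in maps_text.splitlines():
        parts = line.split()
        # address perms offset dev inode path "(deleted)"
        if len(parts) >= 7 and parts[-1] == "(deleted)" and re.search(r"lib(ssl|crypto)", parts[-2]):
            stale.add(parts[-2])
    return sorted(stale)


def processes_with_stale_libssl():
    """Scan every readable /proc/<pid>/maps (Linux only); {pid: [paths]} of processes to restart."""
    result = {}
    for path in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(path) as f:
                stale = stale_libssl(f.read())
        except OSError:
            continue                    # process exited, or not readable without privileges
        if stale:
            result[int(path.split("/")[2])] = stale
    return result


if __name__ == "__main__":
    banner = local_openssl_banner()
    print(banner, "->", classify_version(banner) if banner else "openssl not found")
    for pid, libs in processes_with_stale_libssl().items():
        print(f"pid {pid} still maps deleted {', '.join(libs)}: restart it")
```

Run it as root on each host after patching; an empty second section means no daemon is still serving with the old library.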